Transparent Proxy - secure, isolated box (JonDoBOX)

Ideas for everything that could be useful. Proposals and tips for JonDonym programming.
cane

Re: Transparent Proxy - secure, isolated box (JonDoBOX)

Post by cane » Sat Apr 07, 2012 7:51

No socks2http would be needed.

JonDo is a HTTP and SOCKS5 proxy, both at one port (port 4001 by default).

The SOCKS support is disabled on free cascades by the exit mix (or better: SOCKS support is added on premium cascades by an additional SOCKS proxy server on the exit mix).

You can use JonDo as an HTTP proxy without any changes and you can use JonDo as a SOCKS5 proxy without any changes. Only for using JonDo as a transparent proxy do you need a small tool.

Only for your information:

For HTTP proxies the DNS resolution has to be done by the proxy, not by the application. No DNS leaks possible.

For SOCKS5 proxies the DNS resolution can be done by the proxy, if the application supports this feature, but can be done by the application too. DNS leaks possible, you have to add a proxified DNS for security reasons.

For SOCKS4 proxies the DNS resolution has to be done by the application; it is not supported by SOCKS4. You have to add a proxified DNS.

proper
Posts: 39
Joined: Sun Apr 01, 2012 21:19

Re: Transparent Proxy - secure, isolated box (JonDoBOX)

Post by proper » Sat Apr 07, 2012 14:38

Not sure we are talking about the same thing.
My last posting was related to Howto add Transparent Proxy to JonDo.
It works only with JonDonym premium services.
My last posting can be summarized as:
"If there were something like Trans2http, transparent proxying would be possible with the JonDonym free services as well.

or Network layer -> transsocks -> socks2http -> JonDonym free services could possibly also work."

cane

Re: Transparent Proxy - secure, isolated box (JonDoBOX)

Post by cane » Sat Apr 07, 2012 16:36

It will not work as expected.

Because the internet application does not know anything about the HTTP proxy it will do the DNS queries by itself. You need a local DNS server to serve the DNS resolution. The local DNS server has to use port 80 or 443 with TCP for connects to upstream DNS servers. In this case you can use transocks with free cascades.

I wrote an appropriate DNS server a few years ago: httpsdnsd (hide the DNS traffic in HTTPS traffic to avoid DNS censorship). I will try to get the old code running.

But now I am on holiday for a week. I will come back to this problem later, after the holidays.

proper
Posts: 39
Joined: Sun Apr 01, 2012 21:19

Re: Transparent Proxy - secure, isolated box (JonDoBOX)

Post by proper » Tue Apr 10, 2012 2:48

cane wrote: It will not work as expected.

Because the internet application does not know anything about the HTTP proxy it will do the DNS queries by itself.
No leak should be possible, as the firewall ensures that the workstation can only talk to JonDo.
cane wrote: You need a local DNS server to serve the DNS resolution.
Running on the workstation?
cane wrote: In this case you can use transocks with free cascades.
That'd be great. Free users could browse and premium users anything.
cane wrote: I wrote an appropriate DNS server a few years ago: httpsdnsd (hide the DNS traffic in HTTPS traffic to avoid DNS censorship).
I've found a couple of different references for this term. Please post a link.
cane wrote: I will try to get the old code running.
Great!

proper
Posts: 39
Joined: Sun Apr 01, 2012 21:19

Re: Transparent Proxy - secure, isolated box (JonDoBOX)

Post by proper » Sun Apr 22, 2012 15:48

Any updates?

cane

Re: Transparent Proxy - secure, isolated box (JonDoBOX)

Post by cane » Sun Apr 22, 2012 18:08

We are working, please give us 2-3 days more.

cane

Re: Transparent Proxy - secure, isolated box (JonDoBOX)

Post by cane » Mon Apr 23, 2012 19:43

Ok - have a look at: https://anonymous-proxy-servers.net/en/ ... socks.html

I hope, it will be useful for you.

proper
Posts: 39
Joined: Sun Apr 01, 2012 21:19

Re: Transparent Proxy - secure, isolated box (JonDoBOX)

Post by proper » Tue Apr 24, 2012 6:42

Very interesting. Now that we have httpsdnsd running, would this setup work:
1) network layer (DNS) -> httpsdnsd -> JonDo https proxy port
2) network layer (TCP) -> tranSOCKS_ev -> socks2http -> JonDonym free cascades?

Another, unrelated question. JonDonym premium services support UDP, why don't you redirect UDP to tranSOCKS_ev?

There is one typo on that site: supo.

cane

Re: Transparent Proxy - secure, isolated box (JonDoBOX)

Post by cane » Wed Apr 25, 2012 8:43

proper wrote: why don't you redirect UDP to tranSOCKS_ev?
tranSOCKS_ev does not support UDP, it can only handle TCP traffic.

proper
Posts: 39
Joined: Sun Apr 01, 2012 21:19

Re: Transparent Proxy - secure, isolated box (JonDoBOX)

Post by proper » Wed Apr 25, 2012 13:19

I was able to successfully tunnel transparently through JonDonym free cascades. You provided fine instructions on how to use httpsdnsd, which enabled DNS. iptables redirects ports 80 and 443 to Privoxy on port 8118 and Privoxy forwards them to the HTTP proxy JonDo on the standard port 4001.

(Instructions not complete yet: httpsdnsd part missing; only local redirection for anonuser; no local redirection or anonymizing middlebox; will improve.)

https://trac.torproject.org/projects/to ... ntProxying (scroll a bit down to see the firewall rules)

Other, unrelated comments following...
iptables -t nat -A OUTPUT -m owner --uid-owner anonuser --dport 53 -j REDIRECT --to-ports 4053
iptables -t filter -A OUTPUT -m owner --uid-owner anonuser --dport 4053 -j ACCEPT
iptables v1.4.10: unknown option `--dport'
Try `iptables -h' or 'iptables --help' for more information.

Looks like you have to add -p udp and -p tcp. --dport doesn't work without -p switch.
iptables -t filter -A OUTPUT ! -o lo -m owner --uid-owner anonuser -j DROP
Why not change DROP to REJECT?
supo aptitude install libnet-ssleay-perl libnet-server-perl libnet-dns-perl libxml-simple-perl liblog-log4perl-perl
typo: supo
cane wrote:
why don't you redirect UDP to tranSOCKS_ev?
tranSOCKS_ev does not support UDP, it can only handle TCP traffic.
That is a shame.
https://en.wikipedia.org/wiki/Comparison_of_proxifiers
Perhaps switch to Dante?
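An added example, not code from this thread nor from the JonDonym, httpsdnsd or Privoxy projects: a POSIX shell script that prints the corrected per-user rule set this post describes (the `-p udp` / `-p tcp` fix for `--dport`, DNS to the local resolver on port 4053, ports 80 and 443 to Privoxy on 8118, everything else from that user that is not loopback dropped) and the two Privoxy lines that make Privoxy forward to JonDo on 4001. The user name anonuser and the port numbers are taken from the post; the `accept-intercepted-requests` Privoxy setting, the environment-variable names and the helper function names are assumptions of this example.

```shell
#!/bin/sh
# Transparent proxying of one user's traffic through JonDo via Privoxy,
# as discussed in this thread. Example code, not from the page's projects.
# Assumed defaults: user "anonuser", Privoxy on 8118, JonDo on 4001,
# local DNS resolver (httpsdnsd) on 4053 (names/ports from the post).
ANON_USER="${ANON_USER:-anonuser}"
PRIVOXY_PORT="${PRIVOXY_PORT:-8118}"
JONDO_PORT="${JONDO_PORT:-4001}"
DNS_PORT="${DNS_PORT:-4053}"

# Print the iptables commands rather than executing them, so the rule set
# can be reviewed (or diffed against what is loaded) before it is applied.
gen_rules() {
    u="$ANON_USER"
    cat <<EOF
# DNS: lookups by $u go to the local resolver. --dport requires a
# protocol match, hence one rule for UDP and one for TCP.
iptables -t nat -A OUTPUT -m owner --uid-owner $u -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
iptables -t nat -A OUTPUT -m owner --uid-owner $u -p tcp --dport 53 -j REDIRECT --to-ports $DNS_PORT
# HTTP/HTTPS: intercept and hand to Privoxy, which forwards to JonDo.
iptables -t nat -A OUTPUT -m owner --uid-owner $u -p tcp --dport 80 -j REDIRECT --to-ports $PRIVOXY_PORT
iptables -t nat -A OUTPUT -m owner --uid-owner $u -p tcp --dport 443 -j REDIRECT --to-ports $PRIVOXY_PORT
# Explicitly allow the redirected connections to the local helpers ...
iptables -t filter -A OUTPUT -m owner --uid-owner $u -o lo -p udp --dport $DNS_PORT -j ACCEPT
iptables -t filter -A OUTPUT -m owner --uid-owner $u -o lo -p tcp --dport $DNS_PORT -j ACCEPT
iptables -t filter -A OUTPUT -m owner --uid-owner $u -o lo -p tcp --dport $PRIVOXY_PORT -j ACCEPT
# ... and drop anything else from $u that would leave via a real interface.
iptables -t filter -A OUTPUT ! -o lo -m owner --uid-owner $u -j DROP
EOF
}

# Privoxy needs both lines: the first forwards every request to JonDo's
# HTTP proxy, the second lets Privoxy accept requests that were redirected
# to it by iptables (they carry no absolute URL, unlike proxy requests).
gen_privoxy_config() {
    cat <<EOF
forward / 127.0.0.1:$JONDO_PORT
accept-intercepted-requests 1
EOF
}

# Sanity check for the exact mistake the post hit ("unknown option
# --dport"): every --dport rule must carry a -p match. Returns 0 if OK.
check_rules() {
    if gen_rules | grep '^iptables' | grep -- '--dport' | grep -qv -- ' -p '; then
        return 1
    fi
    return 0
}

# Apply the generated rules (needs root). Review with gen_rules first.
apply_rules() {
    check_rules || { echo "rule set failed sanity check" >&2; return 1; }
    gen_rules | sh -e
}

case "${1:-}" in
    apply)   apply_rules ;;
    check)   check_rules && echo "rules OK" ;;
    privoxy) gen_privoxy_config ;;
    *)       gen_rules ;;
esac
```

Run it without arguments to see the rules, with `privoxy` to get the lines for Privoxy's config file, and with `apply` as root to load them. Whether the final rule is DROP or REJECT only changes what the application experiences: with DROP a connection that would have leaked hangs until it times out, with REJECT it fails immediately; both keep the traffic off the wire.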
